
Phishing Incident Response Plan: Investigation stage

When your client’s end users report a real phishing attack in their inboxes, it could be a one-off situation. It could also be the first sign that several members of their team have received the same message and that not everyone has reported it.

Catching an attack early is key to containing the outbreak, stopping the attack or limiting its impact. The average time to detection for ransomware is 11 days; the earlier you catch a breach, the more time you’ll have to stop it or reduce the damage.

Having a process in place for your team (alongside your client) to investigate these attacks can help catch an attack in progress or stop one from starting. These investigation steps are a baseline that your MSP can use to begin building your phishing incident response process. You may decide to expand on these steps for individual clients, add specific questions or include alternate strategies.

1. Scope the attack. If you are notified that a potential phishing attack is underway, either by a user, customer, or partner:

  • Determine the total number of impacted users

    • Tally reported attacks

    • Communicate with the team to determine where else the message was sent

  • Determine which users took actions in response to the phishing email (did they download the attachment, visit the spoofed site or give out any personal or business information such as credentials?)

  • Find any potentially related activity.

    • Suspicious social media posts, messages, etc.

    • Other potentially suspicious emails

    • Additional emails with links to external and unknown URLs

    • Bounced or non-deliverable emails

    • Any notifications of suspicious activity

2. Analyze the message using a known clean device

Do not open phishing messages on a device with access to sensitive data or credentials as the message may contain malware. In this step you’ll need to determine:

  • Who was targeted by the message.

    • This may differ from the actual recipients. Check who the message was sent to for misspelled or alternate email addresses, and check the greeting for names that do not match the recipient.

  • Email address of the sender

  • Subject line

  • Message body

  • Attachments (do not open attachments except according to your team’s pre-established procedures)

  • Links, domains, and hostnames included in the message (do not follow links except according to your team’s pre-established procedures)

  • The email metadata, including message headers

    • Sender information from the 'From' field and any authenticated-user header added by the mail server

    • All client and mail server IP addresses

  • Note any "quirks" or suspicious features of the email

3. Analyze links and attachments

  • Use passive collection such as nslookup and whois to find IP addresses and registration information

  • Find related domains using OSINT (e.g., reverse whois) on email addresses and other registration data

  • Submit links, attachments, and/or hashes to VirusTotal

  • Submit links, attachments, and/or hashes to a malware sandbox such as Cuckoo, Hybrid Analysis, Joe Sandbox, or VMray.
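The following is an added example, not code from the original post or from HacWare: a small Python triage script that pulls the step 2 fields (sender, envelope sender, subject, IPs from the Received chain, links and domains) out of a raw message and hashes each attachment for the step 3 lookups without opening it. The sample message, and every address, host and IP in it, is constructed for the example.

```python
import hashlib
import re
from email import message_from_bytes, policy
from urllib.parse import urlparse

# Constructed sample (not a real phishing email): every address, host and IP is made up.
SAMPLE_EML = b"""Received: from mail.example.net (mail.example.net [203.0.113.10]) by mx.example.org with ESMTP; Tue, 4 Jun 2024 10:00:00 +0000
Received: from [198.51.100.7] (unknown [198.51.100.7]) by mail.example.net with ESMTPA; Tue, 4 Jun 2024 09:59:50 +0000
Return-Path: <bounce@example.net>
From: "IT Helpdesk" <helpdesk@examp1e.org>
Subject: Password expires today
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain; charset="utf-8"

Reset here: http://login.examp1e.org/reset?u=alice
--XX
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

aGVsbG8=
--XX--
"""
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL = re.compile(r"https?://[^\s<>\"']+")

def triage(raw: bytes) -> dict:
    msg = message_from_bytes(raw, policy=policy.default)  # policy.default: structured address headers
    body = msg.get_body(preferencelist=("plain", "html"))
    urls = URL.findall(body.get_content() if body else "")
    from_addr = next((a.addr_spec for a in (msg["From"].addresses if msg["From"] else ())), "")
    return_path = (msg["Return-Path"] or "").strip("<> ")  # envelope sender, often differs in phish
    quirks = []  # cheap red flags worth recording next to the artefacts
    if return_path and return_path.rpartition("@")[2].lower() != from_addr.rpartition("@")[2].lower():
        quirks.append("envelope sender domain differs from From domain")
    return {
        "from": from_addr,
        "return_path": return_path,
        "subject": str(msg["Subject"]),
        # every IP in the Received chain, deduplicated in header (newest-first) order
        "relay_ips": list(dict.fromkeys(ip for h in msg.get_all("Received", []) for ip in IPV4.findall(h))),
        "urls": urls,
        "domains": sorted({urlparse(u).hostname for u in urls}),
        # SHA-256 of each decoded attachment: submit the hash rather than opening the file
        "attachments": [(p.get_filename(), hashlib.sha256(p.get_payload(decode=True)).hexdigest())
                        for p in msg.iter_attachments()],
        "quirks": quirks,
    }
```

Run `triage()` over a saved `.eml` read in binary mode; the returned IPs, domains and hashes are the inputs for the nslookup, whois and VirusTotal/sandbox lookups above.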

4. Categorize the type of attack that has been received (BEC, spear phishing, etc.)

5. Determine the severity of the attack by considering:

  • Whether public or personal safety is at risk

  • Whether personal data (or other sensitive data) is at risk

  • Any evidence of who is behind the attack

  • Number of affected assets

  • Preliminary business impact

  • Whether services are affected

  • Whether you are able to control and record critical systems

Once you’ve completed these steps, move to the remediation stage of the phishing incident response process.

Building a comprehensive Phishing Incident Response plan with your clients can save both you and your client valuable time. Download the Phishing Incident Response workbook to create a unique phishing incident response plan for each of your clients.

We’ll guide you through the four stages of phishing incident response: investigation, recovery, communication, and remediation, and provide helpful resources that give you and your clients the information you need to respond to a phishing incident.


Learn more about HacWare: MSP partners can decrease the likelihood their end users will click on a phishing email by 60%. Let us help you empower your client's end users with automated, AI-driven phishing simulations and under three-minute micro-trainings to build them into your client's first line of defense against cyber attacks.

Learn more about our partner program and how we can support your MSP's growth!
